
Commit 2b1e7fe1 authored by Alex Estrin, committed by Jason Gunthorpe

IB/hfi1: Fix for potential refcount leak in hfi1_open_file()



The dd refcount is speculatively incremented prior to allocating
the fd memory with kzalloc(). If that kzalloc() failed the dd
refcount leaks.
Increment refcount on kzalloc success.

Fixes: e11ffbd5 ("IB/hfi1: Do not free hfi1 cdev parent structure early")
Reviewed-by: Michael J Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Alex Estrin <alex.estrin@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
parent 473291b3
+1 −3
@@ -196,9 +196,6 @@ static int hfi1_file_open(struct inode *inode, struct file *fp)
	if (!atomic_inc_not_zero(&dd->user_refcount))
		return -ENXIO;

	/* Just take a ref now. Not all opens result in a context assign */
	kobject_get(&dd->kobj);

	/* The real work is performed later in assign_ctxt() */

	fd = kzalloc(sizeof(*fd), GFP_KERNEL);
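Review bot: the atomic_inc_not_zero(&dd->user_refcount) at the top of this hunk is still taken before kzalloc(), which is the same ordering that leaked the kobject reference. The lines shown stop at fp->private_data = NULL in the failure branch, so please confirm that branch drops user_refcount before returning, or move that increment after the allocation as well. Separately, the subject line names hfi1_open_file() while the hunk header shows the function is hfi1_file_open(); fixing the subject keeps the commit findable by function name.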
@@ -208,6 +205,7 @@ static int hfi1_file_open(struct inode *inode, struct file *fp)
		fd->mm = current->mm;
		mmgrab(fd->mm);
		fd->dd = dd;
		kobject_get(&fd->dd->kobj);
		fp->private_data = fd;
	} else {
		fp->private_data = NULL;
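Review bot: the new kobject_get(&fd->dd->kobj) in the success branch reaches dd through the pointer assigned on the line just above it; kobject_get(&dd->kobj) is equivalent and makes it obvious that this is the same reference the first hunk removed. The comment dropped there ("Just take a ref now. Not all opens result in a context assign") was the only explanation of why each open holds a reference on dd, so a one-line comment here saying which put balances this get would keep the pairing auditable.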